Firefox fixes critical buffer overflow

Earlier this month Mozilla announced a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR) as well as the legacy ESR (ESR 52.8.1) now have a fix for a critical-level buffer overflow vulnerability.

The buffer overflow bug, discovered by Ivan Fratric of Google Project Zero, occurs within Firefox’s implementation of the Skia library, an open-source graphics library that is used by almost all of the mainstream browsers.

Skia is used for rendering and rasterizing images and text, and Fratric found that an attacker could trigger a buffer overflow during the rasterization process if they use a malicious SVG image file with anti-aliasing turned off. The Mozilla advisory says this buffer overflow could result in “a potentially exploitable crash.”

We don’t know many specifics beyond that, but since this vulnerability was rated critical by Mozilla, that means it could have allowed an attacker to execute code without any user interaction beyond just normal use and browsing – all you’d have to do is visit the wrong website.

The fixed versions of Firefox became available on 6 June, so if you’ve run your browser lately the chances are it’s already patched.
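To confirm that across more than one machine, the added example below (not code from Mozilla or from this article) checks collected `firefox --version` output against the fixed versions named in the advisory. The tab-separated inventory format, the host names and the sample lines are constructed for illustration, and pre-release version strings are reported as unknown rather than guessed at.

```python
import re

# Fixed versions as stated in the article (MFSA2018-14).
FIXED_MAINLINE = (60, 0, 2)    # Firefox and Firefox ESR
FIXED_LEGACY_ESR = (52, 8, 1)  # legacy ESR 52 branch

# Matches "60.0.2", "60.0" or "52.8.1esr"; rejects pre-release forms like "61.0b3".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?\b")


def parse_version(text):
    """Return (major, minor, patch) from version output, or None if not parseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def has_fix(version):
    """True if the version is at or above the fixed release for its branch."""
    if version[0] == 52:
        return version >= FIXED_LEGACY_ESR
    return version >= FIXED_MAINLINE


def audit(inventory_lines):
    """Map host -> 'patched' | 'needs update' | 'unknown' from 'host<TAB>output' lines."""
    report = {}
    for line in inventory_lines:
        host, _, output = line.partition("\t")
        version = parse_version(output)
        if version is None:
            report[host] = "unknown"
        else:
            report[host] = "patched" if has_fix(version) else "needs update"
    return report


# Constructed sample inventory (assumed format: host, tab, `firefox --version` output).
SAMPLE = [
    "ws-01\tMozilla Firefox 60.0.2",
    "ws-02\tMozilla Firefox 60.0.1",
    "ws-03\tMozilla Firefox 52.8.1esr",
    "ws-04\tMozilla Firefox 52.8.0esr",
    "ws-05\tMozilla Firefox 59.0.3",
    "ws-06\tfirefox: command not found",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```
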
